[Samba] account locks not working ssh/winbind?
Rowland Penny
rpenny at samba.org
Thu Apr 26 09:40:06 UTC 2018
On Thu, 26 Apr 2018 11:18:10 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Rowland,
>
> Thanks for the reply. Ok so we suspect a buggy pam module
>
> The pam.d/ssh is the default
>
> @include common-auth
> account required pam_nologin.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_keyinit.so force revoke
> @include common-session
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
> session required pam_limits.so
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> @include common-password
>
> But what I don't understand is this line:
> > Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred):
> > user 'username' OK
>
> pam_winbind(sshd:setcred)
Yes, but it is AFTER the user is allowed access and 'setcred' means (to
me at least) 'set the credential for next time', but I am not an expert
here ;-)
> I'll go search for this a bit, and start with the build of 4.8.1
> while doing that.
I would hang on with that, Denis has just asked if the 'don't upgrade
to 4.8.0 bug' has been fixed, it isn't mentioned in the release notes.
It seems to have gone in, just not mentioned in the release notes (at
least I hope that is the case)
>
> I forgot the pam winbind config, this one is used also.
>
> If anyone has ideas or suggestion where to look, please add them.
> Because this should never happen.. To be able to log in with a locked
> account.
Thing is, how do you tell ssh that an account is locked ?
Rowland
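
Added example (not part of the original message, and not Samba code): a small Python script that groups sshd PAM log lines by process ID and lists which PAM phases pam_winbind logged for each login, flagging logins where only setcred appears. The sample log is constructed, apart from the setcred line quoted in the thread; the 'granted access' lines and the second user are assumptions for illustration.

```python
import re
from collections import defaultdict

# PAM modules log as "<module>(<service>:<phase>): <message>" via pam_syslog.
LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)"
    r"\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)"
)

# Constructed sample. Only the setcred line for PID 27490 comes from the thread.
SAMPLE_LOG = """\
Apr 25 07:00:07 hostname1 sshd[27490]: pam_winbind(sshd:setcred): user 'username' OK
Apr 25 07:05:11 hostname1 sshd[27512]: pam_winbind(sshd:auth): user 'other' granted access
Apr 25 07:05:11 hostname1 sshd[27512]: pam_winbind(sshd:account): user 'other' granted access
Apr 25 07:05:11 hostname1 sshd[27512]: pam_winbind(sshd:setcred): user 'other' OK
Apr 25 07:05:12 hostname1 sshd[27512]: pam_unix(sshd:session): session opened for user other
"""


def phases_by_session(log_text, module="pam_winbind"):
    """Map sshd PID -> ordered list of PAM phases in which `module` logged."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m.group("module") == module:
            phases = sessions[m.group("pid")]
            if m.group("phase") not in phases:
                phases.append(m.group("phase"))
    return dict(sessions)


def setcred_only_sessions(log_text, module="pam_winbind"):
    """PIDs where the module logged setcred but no auth or account phase."""
    return sorted(
        pid
        for pid, phases in phases_by_session(log_text, module).items()
        if "setcred" in phases and not {"auth", "account"} & set(phases)
    )


if __name__ == "__main__":
    for pid, phases in phases_by_session(SAMPLE_LOG).items():
        print(pid, phases)
    print("setcred only:", setcred_only_sessions(SAMPLE_LOG))
```

A login flagged here is one where the log shows no pam_winbind auth or account decision for that sshd process, so the next thing to check is which modules common-auth and common-account actually call.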